CVE-2019-10173
Arbitrary code execution vulnerability in com.thoughtworks.xstream:xstream

Vulnerability class: arbitrary code execution. Public exploits: none known.

What is CVE-2019-10173 About?

This vulnerability is a deserialization flaw in XStream 1.4.10 that allows a remote attacker to execute arbitrary shell commands. It affects systems where the security framework is uninitialized, leading to severe system compromise. Exploitation is typically straightforward for an attacker who can supply malicious XML or JSON input.

Affected Software

com.thoughtworks.xstream:xstream <1.4.11

Technical Details

The vulnerability is a regression of CVE-2013-7285 affecting XStream 1.4.10 (fixed in 1.4.11). If the application has not explicitly initialized XStream's security framework, the library falls back to an insecure default when unmarshalling. A remote attacker can then supply crafted XML, or input in any other supported format such as JSON, containing serialized objects that trigger execution of arbitrary shell commands on the underlying system as they are unmarshalled. This bypasses the intended deserialization safeguards and grants the attacker control over the host.
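The following is an added example, not code from this page or from the XStream project, showing what "explicitly initializing the security framework" means for an application on 1.4.10: call XStream.setupDefaultSecurity and register an allowlist of the types the application actually expects, so that any other type in the input is refused with ForbiddenClassException before it is instantiated. The Order class and the two XML documents are constructed for the example; setupDefaultSecurity is deprecated from 1.4.18 onward, where an allowlist is already the default.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;

import java.util.Collection;

public class XStreamHardening {

    // Hypothetical application type that the XML is expected to carry (assumption).
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Builds an XStream instance whose security framework is explicitly initialized. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // On 1.4.10 the application must make this call itself; without it the
        // insecure default described in the advisory applies.
        XStream.setupDefaultSecurity(xstream);
        // setupDefaultSecurity starts from "deny everything" plus primitives and a few
        // JDK basics; add only the types this application legitimately unmarshals.
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Returns true when the document names a type outside the allowlist. */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Thrown by the security mapper before any object of that type is created.
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed input: the expected type is accepted.
        String expected = "<order><id>A-17</id><quantity>3</quantity></order>";
        System.out.println("expected rejected? " + isRejected(xstream, expected));
        // Constructed input: an arbitrary JDK type not on the allowlist is refused.
        String unexpected = "<java.io.File><path>/tmp/x</path></java.io.File>";
        System.out.println("unexpected rejected? " + isRejected(xstream, unexpected));
    }
}
```

Upgrading to 1.4.11 restores the safe default, but keeping an explicit allowlist like this is what makes the application's behaviour independent of which default the library version ships.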

What is the Impact of CVE-2019-10173?

Successful exploitation may allow attackers to execute arbitrary shell commands, resulting in complete system compromise, data manipulation, unauthorized access, or denial of service.

What is the Exploitability of CVE-2019-10173?

Exploitation is remote and requires the ability to send malicious XML or JSON input to an application using the vulnerable XStream library. No authentication or prior privileges are required for the attack to succeed, assuming the security framework is uninitialized. The complexity is moderate, involving the creation of a specially crafted input payload. The primary prerequisite is the use of XStream 1.4.10 and the absence of a properly initialized security framework. The likelihood of exploitation is high in environments that process untrusted external data without strict deserialization controls.

What are the Known Public Exploits?

Public exploit table (PoC, Author, Link, Commentary): no entries. No known exploits.

What are the Available Fixes for CVE-2019-10173?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.11 → Upgrade to 1.4.11


Additional Resources

What are Similar Vulnerabilities to CVE-2019-10173?

Similar Vulnerabilities: CVE-2021-21347, CVE-2021-39141, CVE-2021-29505, CVE-2021-39154, CVE-2013-7285